The present art provides several manners by which a computerized system (including mobile devices, such as smart phones) can be protected from a malicious code:                a. Preventing unauthorized code (hereinafter, also referred to as “program” or “application”) from entering the system, by checking its validity (such as its signature, its originating source, etc.);        b. Performing a static analysis of the program to ensure that it does not include a malicious code;        c. Shielding the operating system from being exploited through known vulnerabilities by constantly patching such vulnerabilities as soon as they are exposed.        d. Monitoring the behavior of suspicious programs while they run on the system or on a sandbox.        
However, the abovementioned prior art means for the system protection suffer from at least one of the following flaws:                a. They require a prior knowledge by the protector either with respect to the code, to its origin, or to its behavior;        b. They require assumptions with respect to normal or anomalous behavior of the protected system.        c. They require prior knowledge of exploitable vulnerabilities, and will not identify a new (hitherto unknown) exploit.        d. They may detect the malicious behavior too late, after a significant damage has already been caused to the system including the protected resources.        e. It is not clear when and how the malicious activity is triggered, furthermore, modern malware use evasion and anti-forensics techniques which severely hinder their detection.        f. A previously certified program may at some stage open the gate for malicious code.        g. Malicious code may operate solely in memory without passing through the file system.        
The present invention is particularly, but not exclusively, applicable to any operating system whose source code is available for recompilation (Open Source); The concepts of the present invention can also be applied to binary code (Closed Source). Moreover, the present invention is particularly but not exclusively applicable to ‘isolated’ operating systems which are intended to run special purpose programs and are not designated to run a variety of third-party consumer applications; Yet the concepts of the present invention can be applied to other kinds of operating systems including operating systems for mobile devices.
Over the last few years, there have been reports of highly protected operating systems (OS), even isolated ones, that were compromised by malicious programs. Unlike a regular consumer-oriented OS, an isolated OS is designated to run special purpose programs. Malicious exploitation of such operating systems may bear critical consequences. At the same time new kinds of operating system such as Android were also being compromised at an accelerating rate.
Open source operating systems (primarily Linux) are widely being adopted in a wide range of domains, from smart phones to High Performance Computing (HPC). The open source operating systems may also be used in isolated systems. It is therefore an object of the present invention to provide a method and system for protecting a computerized system from malicious code, either known or unknown, either on open source systems or on closed source systems.
It is an object of the present invention to provide a method and system for protecting a computerized system from malicious code, which overcomes all the above mentioned drawbacks of existing means for detection and prevention.
It is another object of the present invention to provide a method and system for protecting a computerized system from malicious code, which does not require any prior knowledge about the malicious program, its structure, its behavior, or its origin.
It is still another object of the present invention to provide a method and system for protecting a computerized system from malicious code, which does not require any assumption with respect to the normal or anomalous behavior of the protected system.
It is still another object of the present invention to provide a method and system for protecting a computerized system from malicious code, which does not require prior knowledge of exploitable vulnerabilities.
It is still another object of the present invention to provide a method and system for protecting a computerized system from malicious code, which can prevent any operation of an unauthorized program, or to route it to operate in a restricted supervised mode.
It is still another object of the present invention to provide a method and system for protecting a computerized system from malicious code, which is immune to common evasion and anti-forensics techniques.
It is still another object of the present invention to provide a method and system for protecting a computerized system from malicious code which bypasses the standard gate keeping mechanisms of a protected system.
It is still another object of the present invention to provide a method and system for protecting a computerized system from malicious code which operates solely in memory without passing through the file system.
It is still another object of the present invention to provide a method and system for protecting a computerized system from malicious code, which may either replace conventional protection means, or may cooperate with them.
It is still another object of the present invention to provide a method and system for protecting a computerized system from malicious code, which may be easily updated on a periodical basis, and may include random ingredients to thwart a bypass by the attacker.
Other objects and advantages of the present invention will become clear as the description proceeds.